Sap Generate Public Certificate From Private Key

This blog addresses the need to add certificates to a HANA system and ways to achieve it.

We often want to establish trust between the IDP (identity provider ) and the HANA instance for authentication and authorization purposes.

Sap Generate Public Certificate From Private Key Code

An SSL Certificate is a public key verified and signed by a Certificate Authority. You generate a public/private key pair, then from that generate a Certificate Signing Request (which includes the public key), which you send to the CA. It then signs that public key included in the CSR producing the certificate which it sends. Jan 26, 2015  How to generate an SSL certificate private key as well as a CSR (certificate signing request) using cPanel x3.

So we generate a certificate(e.g use OpenSSL ) and register it to the HANA instance. Then we export the HANA config and import in IDP to make the IDP trust the HANA instance. Finally we download the metadata.xml file from IDP tenant settings and establish the trust between HANA instance and IDP.

There are 2 ways to add certificates to HANA.

  1. SQL command
  2. Manually configuration via HANA cockpit.

Step 1: Generating certificates

Certificate (public) + key(private) = PEM file(privacy enhanced mail format).

If you are using a mac, OpenSSL might be preinstalled. But incase of windows, you might want to download and install if it doesn’t exist already.

Goto the directory where you want to generate the certificate on your system.(use CD command)

openssl req -x509 -sha256 -newkey rsa:2048 -keyout mycertificate.key -out mycertificate.crt -days 1024 -nodes -subj /CN=trust.test.initial

This generates 2 files namely mycertificate.key & mycertificate.crt.

Inorder to generate the PEM file, use the CAT command(concatenate)

cat mycertificate.crt mycertificate.key > mycertificate.includesprivatekey.pem

STEP 2 : Creation of PSE(Private Security Environment)

We can create a PSE(Private Security Environment) in the HANA cockpit. Please make sure that you have the relevant authorizations and privileges.In the below image you can see 3 PSEs that exist.

SQL Command:


HANA Cockpit : You can also do this in the HANA cockpit by going to the certificate collections and adding a collection using the ‘+’ option in the bottom left corner.

Each PSE can contain multiple certificates. You might have to restart the HANA db after the creation of PSE. But there are ways to avoid this restart also.

SQL Command:


HANA Cockpit :You can choose the purpose of the certificate in the dropdown of the particular PSE.

STEP 3 : Adding Certificate to PSE.

Final step is to upload/set the certificate in the PSE.


If you are using webIDE, you might face issues with executing an SQL statement spanning across multiple lines. Hence you might want to use HANA studio/eclipse addin to execute this statement.


Please use the info present in the certificate and key files that you generated earlier to create the sql statement.


HANA Cockpit :

Upload/Import the *.PEM file(generated from certificate + Key) to the HANA instance.

Now you can got to https://<tenant>

SAML Service Provider -> Metadata section and save the contents to an xml file(say hana_metadata.xml). Use this xml file to upload to the IDP to make the IDP trust the Hana instance.

The next task is to make the HANA instance to trust the IDP.

Goto the IDP Tenant Settings —-> SAML 2.0 Configuration & download the config .(say idp_metadata.xml)

Now goto SAML Identity Provider section in the below URL.


Upload the idp_metadata.xml .

You may have other mechanisms to create certificates . But you will have to add it to Hana instance and then make the IDP trust the Hana instance and finally ensure to make the Hana system trusts the IDP. Also, incases where a user application is involved, you should establish trust between the IDP & the user app also.

Imagine that you purchased a SSL certificate from a given CA. This certificate was imported into a SSL PSE and used for HTTPS access. In certain landscapes, the same certificate should be imported in a different server or device (e.g. a reverse proxy). In order to import the certificate into the other server/device, you also need the private key from the PSE. How to export the private key from the SSL PSE?

First of all, SAPCRYPTOLIB 5.5.5 patch level 16 or higher is required. Then you can export your PSE file to a PKCS#12 file.

Sap generate public certificate from private key west

The command line is: sapgenpse export_p12 –p <YOUR_PSE> <P12_FILE>

Please note that you must provide a password for the PKCS#12 file!


The next step makes use of a third party tool, openssl. With this tool we can extract both keys (private and public one).

The openssl command line is: openssl pkcs12 -in <P12_FILE> -out <OUTPUT.txt> -nodes:

The same password must be provided above.

The Private Key is now available in the block BEGIN/END RSA PRIVATE KEY, as you can see below:

Sap Generate Public Certificate From Private Key To Work

Sap Generate Public Certificate From Private Key Mac

Of course, I have removed my private key… 😉